Towards a Secure Web-Based Health Care Application

INTRODUCTION

In healthcare, a lot of data are generated that in turn will have to be accessed from several departments of a hospital. The information kept within the information system of a hospital includes sensitive personal data that reveal the most intimate aspects of an individual’s life. Therefore, it is extremely important to observe data protection laws, privacy regulations, and other security requirements. When designing information systems for healthcare purposes, it is imperative to implement appropriate access control mechanisms and other safeguards. Furthermore, a tendency to use the Internet as a communications medium can be observed. As the Internet is an insecure transmission medium, the security requirements that must be met by the overall system are high. During the project MobiMed (Privacy and Efficiency of Mobile Medical Systems; further information about the project can be found at http://www.ifi.unizh.ch/ikm/MobiMed/), a prototype was developed to show the feasibility of implementing the security mechanisms required in a Web-based healthcare application.
